I'm building an application that retrieves any type of user input, even if the user puts in XSS injection code. Besides that, I'm providing an admin view to show the full content of what the user put in, whether they put in HTML code, BB code, XSS, JavaScript, etc. (something like for analysis purposes).

I don't want to remove any tag or script, I just want to display it in HTML with escaping. Is it safe if I put it in a textarea tag? I mean, if the data contains XSS, would it not be executed if it is in a textarea?

1 Answer
1

The code you have posted is prone to XSS: if your admin opens specially crafted user input, the attacker can gain administrative privileges on that page. Placing user code within a textarea or any other tag does not protect from XSS attacks. All the hacker has to do is close the textarea tag in his input and do whatever he wants to.

I'm glad that you found the OWASP cheat sheet :) It's very useful; you should follow it. Remember to escape all user input that is placed on the page.

I would recommend using htmlspecialchars and then doing some tests with the tags presented here. If you don't see a JS alert, then your application is to some extent protected from XSS attacks.

Thanks for your answer. I tried using the XSS tags/code from that link, and I don't see any JS alert. Does that mean 'htmlspecialchars' is enough? But OWASP says that htmlspecialchars is not good enough.
–
Ahmad Nov 28 '12 at 12:59

You might see that OWASP lists 6 special chars, of which 5 are handled by htmlspecialchars. I think you are good :)
–
fatfredyy Nov 28 '12 at 13:15

And what is the one that htmlspecialchars can't handle? Can you write the link to the OWASP page about that? Because I read many links and it makes me more confused.
–
Ahmad Nov 28 '12 at 13:31

It does not handle '/', but it handles '<' and '>', so I think this '/' is somewhat of an additional security measure :)
–
fatfredyy Nov 28 '12 at 13:39
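The textarea break-out described in the answer, and the htmlspecialchars() behaviour discussed in the comments, as an added PHP example that is not part of the original question or answer. It assumes PHP 7 or later (for the scalar type declarations and the ENT_SUBSTITUTE/ENT_HTML5 flags) and that the admin view emits the stored input inside the HTML body of a UTF-8 page; the function names and the sample input are constructed for this example.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 7 and a UTF-8 page.

// Constructed sample of hostile stored input: it tries to end the textarea the
// admin view wraps it in, so that what follows is parsed as markup.
$storedInput = '</textarea><script>alert(1)</script>';

// Escape for an HTML body or double/single-quoted attribute context.
// ENT_QUOTES encodes both ' and " (the default flags before PHP 8.1 leave '
// alone), ENT_SUBSTITUTE returns U+FFFD instead of an empty string on invalid
// UTF-8, and the explicit charset avoids relying on the default_charset setting.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unsafe rendering: the input's own </textarea> closes the element and the
// script that follows executes in the admin's browser.
function renderUnsafe(string $s): string
{
    return '<textarea readonly>' . $s . '</textarea>';
}

// Safe rendering: every < > & " ' becomes a character reference, so the browser
// shows the payload as text inside the textarea and nothing executes.
function renderSafe(string $s): string
{
    return '<textarea readonly>' . escapeForHtml($s) . '</textarea>';
}

// Cheap self-check for the admin template: after escaping, no raw '<' or '>'
// should survive between the wrapper element's own open and close tags.
function containsRawTagFromInput(string $rendered, string $wrapperOpen, string $wrapperClose): bool
{
    $inner = substr($rendered, strlen($wrapperOpen), -strlen($wrapperClose));
    return strpbrk($inner, '<>') !== false;
}

$open  = '<textarea readonly>';
$close = '</textarea>';

var_dump(containsRawTagFromInput(renderUnsafe($storedInput), $open, $close));
var_dump(containsRawTagFromInput(renderSafe($storedInput), $open, $close));

// The '/' discussed in the comments is left untouched by htmlspecialchars(),
// but it cannot open or close a tag on its own once '<' and '>' are encoded.
echo escapeForHtml('</textarea>'), PHP_EOL;
```

Two points worth keeping in mind when reusing this: always pass ENT_QUOTES (on PHP older than 8.1 the default flags do not convert the single quote, so an attribute delimited with ' would remain injectable), and htmlspecialchars() is the right encoder only for HTML body and quoted-attribute contexts; input that ends up inside a script block, a URL, or a CSS value needs the context-specific encoding the OWASP cheat sheet describes.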